Windows – Capture And Analyze Mobile Device Network Traffic

Introduction

You can collect a lot of useful information about an application's back-end services by observing the network connections it makes. For example, you can see which hosts the app talks to and whether data is sent to the back-end service over TLS or as clear text.

It is relatively easy to monitor network traffic on a PC or a laptop by running a packet sniffer on its own network interface, but for a mobile device it can get a little tricky, since you usually cannot install a sniffer on the device itself.

This article explains how to capture the network traffic of a mobile device using Windows 7 (and above) by turning the PC into a WiFi access point that the device connects through. We then use existing free tools on the PC to analyze the captured packets.

Step 1: Configure A WiFi HotSpot (access point)

Windows 7 (and above) can host a software access point (the "hosted network" feature) through the "Microsoft Virtual WiFi Miniport Adapter", provided the WiFi driver supports it (on Windows 8 and later the adapter is called "Microsoft Hosted Network Virtual Adapter", and some Windows 10 drivers have dropped the feature altogether; `netsh wlan show drivers` reports "Hosted network supported: Yes" when it is available). Setting it up by hand is fiddly, so I found it much easier to use a third-party tool called mHotspot, which uses the hosted-network feature underneath but greatly simplifies the setup process.

  • Download and install mHotspot.
  • Launch mHotspot.
  • Enter the access point name in the "Hotspot Name" field.
  • Enter a "Password" value. This is the WPA2 pre-shared key a device will need when connecting to this access point; the hosted network requires it to be between 8 and 63 characters.
  • Select an "Internet Source". This is the connection whose internet access will be shared (via Internet Connection Sharing) with devices on the hotspot. If you are connected using a cable select "Local Area Connection"; if you are on a WiFi network, select "Wireless Network Connection".
  • Click on the "Start Hotspot" button.
(Screenshot: creating an access point using mHotspot)

Step 2: Connect Device

Connect your device (iPad, Android phone, etc.) to the WiFi access point as you would connect to any regular wireless network. The password required to connect is the one specified in step 1. The device will receive an IP address from the PC, because Internet Connection Sharing acts as the DHCP server and default gateway for the hotspot.

Step 3: Launch WireShark

By creating an access point we make the PC the device's gateway: every packet the device sends to the internet first arrives on the PC's virtual WiFi adapter, and Internet Connection Sharing then forwards it (with NAT) over the PC's own internet connection. Therefore, by capturing on the right interface of the PC, we can observe every connection the mobile device makes.

What we want to do here is to make sure we *only* capture the traffic from the mobile device and not every packet on the wire, including packets originating from the PC itself. The trick is to capture on the virtual WiFi adapter rather than on the PC's uplink.

  • Goto Start -> Control Panel  -> Network And Sharing Center -> Change Adapter Settings
  • Right click the connection that says "Microsoft Virtual WiFi Miniport Adapter" and click "Properties". It will also have the name of the access point that you created above.

(Screenshot: the Microsoft Virtual WiFi Miniport Adapter in Network Connections)

  • Select "Internet Protocol Version 4" (or Version 6 if you use IPv6) and click the "Properties" button. Note the IP address of the interface. (Running `ipconfig` in a command prompt shows the same address next to the virtual adapter; with Internet Connection Sharing it is normally 192.168.137.1.)

(Screenshot: IP address of the virtual WiFi adapter)

  • Launch Wireshark. It is free software.
  • In Wireshark, go to Menu -> Capture -> Interfaces and select the interface with the same IP address that you noted for the virtual WiFi miniport adapter above. Make sure to deselect all other interfaces in the dialog; otherwise the PC's own traffic on the uplink ends up in the capture as well.

(Screenshot: selecting the capture interface in Wireshark)

  • Click the Start button to start capturing traffic. Wireshark will now capture only the traffic crossing the access point's adapter, which is exactly the traffic between the mobile device and the PC.

(Screenshot: captured iPad traffic in Wireshark)

  • Once you are done, stop the capture and save the captured packets as a *.pcap file (File -> Save As) before quitting Wireshark.
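The same procedure (steps 1 to 3) driven from a PowerShell prompt, as an added example that is not part of the original post or of mHotspot: the script does what mHotspot does underneath (`netsh wlan ... hostednetwork` plus Internet Connection Sharing), reads the virtual adapter's address instead of clicking through the Properties dialog, and then captures on that adapter only with Wireshark's command-line `tshark`. The SSID, key, adapter names, install path and output path are assumptions; adjust them to your machine, and run it from an elevated prompt.

```powershell
# Added example (not from the original post): the netsh / ICS / tshark equivalent of steps 1 to 3.
# Run from an elevated PowerShell prompt. Names, paths, SSID and key below are assumptions.
# Check first that the WiFi driver supports a software AP:
#   netsh wlan show drivers   -> "Hosted network supported : Yes"
$ssid = "captureAP"
$key  = "ChangeMe-UseAtLeast8Chars"   # hosted network is WPA2-PSK; the key must be 8 to 63 characters

# Step 1: define and start the software access point (this creates the virtual WiFi adapter).
netsh wlan set hostednetwork mode=allow ssid=$ssid key=$key
netsh wlan start hostednetwork
netsh wlan show hostednetwork

# Step 1 continued: share the uplink with the hotspot adapter (mHotspot's "Internet Source").
# HNetCfg.HNetShare is the COM object behind the "Sharing" tab of an adapter's properties.
$uplinkName  = "Local Area Connection"          # assumption: the wired/upstream adapter's name
$hotspotName = "Wireless Network Connection 2"  # assumption: the name Windows gave the virtual adapter
$mgr = New-Object -ComObject HNetCfg.HNetShare
foreach ($conn in $mgr.EnumEveryConnection) {
    $name = $mgr.NetConnectionProps($conn).Name
    $cfg  = $mgr.INetSharingConfigurationForINetConnection($conn)
    if ($name -eq $uplinkName)  { $cfg.EnableSharing(0) }   # 0 = ICSSHARINGTYPE_PUBLIC  (uplink side)
    if ($name -eq $hotspotName) { $cfg.EnableSharing(1) }   # 1 = ICSSHARINGTYPE_PRIVATE (hotspot side)
}

# Step 3: read the hotspot adapter's IPv4 address (ICS normally assigns 192.168.137.1/24,
# but read it rather than assume it). Matches both the Windows 7 and the Windows 8+ adapter name.
$hotspotIp = (Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and ($_.Description -like "*Virtual WiFi Miniport*" -or
                                      $_.Description -like "*Hosted Network Virtual*") }
    ).IPAddress | Where-Object { $_ -notlike "*:*" } | Select-Object -First 1
$subnet = ($hotspotIp -replace '\.\d+$', '.0') + "/24"
"Hotspot adapter: $hotspotIp  (capturing $subnet)"

# Step 3 continued: capture on that adapter only. 'tshark -D' lists interfaces as
# "N. \Device\NPF_{...} (Friendly Name)"; pick the one named after the hotspot adapter.
# The BPF capture filter is belt and braces: only packets on the hotspot subnet are written.
$tshark  = "C:\Program Files\Wireshark\tshark.exe"   # assumption: default install path
$ifIndex = (& $tshark -D | Select-String -Pattern $hotspotName -SimpleMatch |
            Select-Object -First 1).Line.Split('.')[0]
& $tshark -i $ifIndex -f "net $subnet" -w "C:\captures\device.pcap"   # Ctrl+C to stop
```

`Get-WmiObject` rather than `Get-NetAdapter` is used on purpose so the script also runs on Windows 7, which the article targets. Stop the capture with Ctrl+C; `netsh wlan stop hostednetwork` tears the access point down again.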

Step 4: Analyze Traffic Using NetworkMiner

  • Launch NetworkMiner. A free edition is available.
  • NetworkMiner reads the *.pcap saved from Wireshark and reassembles it into hosts, sessions, DNS lookups, transferred files and any clear-text credentials, which makes it easy to spot what the app sends unprotected. You can also analyze the packets directly in Wireshark.

(Screenshot: NetworkMiner analyzing the capture)
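For a quick triage of the saved capture from the command line, here is an added example (not from the original post or from NetworkMiner) using `tshark` with display filters to answer the question the introduction raises: which back ends does the device talk to, and which of them over clear text versus TLS. The install path, capture path and device address are assumptions.

```powershell
# Added example (not from the original post): triage a hotspot capture with tshark.
# Assumptions: Wireshark in its default path, capture saved as C:\captures\device.pcap,
# and the device was assigned 192.168.137.42 by Internet Connection Sharing.
$tshark = "C:\Program Files\Wireshark\tshark.exe"
$pcap   = "C:\captures\device.pcap"
$device = "192.168.137.42"

# 1. Every host:port the device opened a TCP connection to (SYN without ACK), deduplicated,
#    so unexpected third-party endpoints stand out.
"== Connections opened by the device =="
& $tshark -r $pcap -Y "ip.src == $device and tcp.flags.syn == 1 and tcp.flags.ack == 0" `
    -T fields -e ip.dst -e tcp.dstport | Sort-Object -Unique

# 2. Clear-text HTTP requests: host, method, path and body. Anything sensitive here
#    (tokens, passwords, personal data) is visible to whoever runs the access point.
"== Clear-text HTTP requests =="
& $tshark -r $pcap -Y "ip.src == $device and http.request" `
    -T fields -e http.host -e http.request.method -e http.request.uri -e http.file_data

# 3. TLS connections: the server name from the ClientHello (SNI) tells you which back ends
#    use TLS even though the payload is encrypted. Field prefix is tls.* on Wireshark 3.x;
#    on 2.x and 1.x use ssl.handshake.type / ssl.handshake.extensions_server_name instead.
"== TLS connections (SNI) =="
& $tshark -r $pcap -Y "ip.src == $device and tls.handshake.type == 1" `
    -T fields -e ip.dst -e tls.handshake.extensions_server_name | Sort-Object -Unique

# 4. DNS queries the device sent to the ICS gateway: a cheap inventory of back-end hostnames.
"== DNS lookups =="
& $tshark -r $pcap -Y "ip.src == $device and dns.flags.response == 0" `
    -T fields -e dns.qry.name | Sort-Object -Unique
```

`-Y` is the display-filter option introduced in tshark 1.10; older builds use `-R`. Note what this does not show: the contents of the TLS connections. Seeing inside them requires an intercepting proxy whose CA certificate the device trusts, which is a separate exercise from the passive capture described here.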

Conclusion

An access point you control can be used to capture network data from any device that connects to it over WiFi; the technique is not limited to mobile devices.

For example, you can use the same trick to capture the network traffic your Nintendo Wii exchanges with Netflix over the internet by connecting the console to the access point.

This trick is handy both when debugging applications and when performing a security review.

It is also a very good reminder of why you should never connect to untrusted access points: whoever runs one sits in the path of every packet your device sends and can read anything that is not protected by TLS, using exactly the setup described here.